Commit 77ae783a authored by Mark Adler's avatar Mark Adler

Fix a bug where invalid LZW data could cause out of bounds access.

parent 52ca317c
...@@ -3252,15 +3252,18 @@ local void unlzw(void) ...@@ -3252,15 +3252,18 @@ local void unlzw(void)
machine instruction!) */ machine instruction!) */
{ {
unsigned rem = ((g.in_tot - g.in_left) - mark) % bits; unsigned rem = ((g.in_tot - g.in_left) - mark) % bits;
if (rem) if (rem) {
rem = bits - rem; rem = bits - rem;
while (rem > g.in_left) { if (NOMORE())
rem -= g.in_left; break; /* end of compressed data */
if (load() == 0) while (rem > g.in_left) {
break; rem -= g.in_left;
if (load() == 0)
throw(EDOM, "%s: lzw premature end", g.inf);
}
g.in_left -= rem;
g.in_next += rem;
} }
g.in_left -= rem;
g.in_next += rem;
} }
buf = 0; buf = 0;
left = 0; left = 0;
...@@ -3294,15 +3297,16 @@ local void unlzw(void) ...@@ -3294,15 +3297,16 @@ local void unlzw(void)
/* flush unused input bits and bytes to next 8*bits bit boundary */ /* flush unused input bits and bytes to next 8*bits bit boundary */
{ {
unsigned rem = ((g.in_tot - g.in_left) - mark) % bits; unsigned rem = ((g.in_tot - g.in_left) - mark) % bits;
if (rem) if (rem) {
rem = bits - rem; rem = bits - rem;
while (rem > g.in_left) { while (rem > g.in_left) {
rem -= g.in_left; rem -= g.in_left;
if (load() == 0) if (load() == 0)
break; throw(EDOM, "%s: lzw premature end", g.inf);
}
g.in_left -= rem;
g.in_next += rem;
} }
g.in_left -= rem;
g.in_next += rem;
} }
buf = 0; buf = 0;
left = 0; left = 0;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment